Security Bug in BP Group Tags 2.0.3
I’m using BP 1.6.4 together with Group Tags 2.0.3 and found the following bug:
If you have a *hidden* BP Group and that hidden group has a group tag also belonging to a private group, a *logged_in* member of the community is able to see that hidden group when he’s not a member of that hidden group! It’s not the case if somebody is not logged in.
What’s the way to see the group? Click on a tag link (group header or widget cloud) or directly alter the URL (/groups/tag/blabla/) and you will get that hidden group in the group directory. Clicking on the group name goes to a 404 – but the group is not hidden at that moment.
Workaround: don’t use group tags for hidden groups or wait for an update…
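A regression check for the leak described above, as an added example that is not from the original post or the Group Tags plugin. The data model and the function names `can_list_group()` and `groups_for_tag()` are assumptions; the statuses follow BuddyPress's public/private/hidden model, and the tag `blabla` is the one from the URL in the report.

```php
<?php
// Constructed sample data: three groups sharing one tag, one per status.
$groups = [
    ['id' => 1, 'name' => 'Open Chat',  'status' => 'public',  'tags' => ['blabla'], 'members' => [10, 11]],
    ['id' => 2, 'name' => 'Staff',      'status' => 'private', 'tags' => ['blabla'], 'members' => [10]],
    ['id' => 3, 'name' => 'Board Only', 'status' => 'hidden',  'tags' => ['blabla'], 'members' => [10]],
];

/**
 * Hypothetical helper: may $userId (0 = not logged in) see $group in a listing?
 * Public and private groups are listed for everyone; hidden groups only for
 * their members. Any unknown status fails closed.
 */
function can_list_group(array $group, int $userId): bool
{
    if ($group['status'] === 'hidden') {
        return $userId > 0 && in_array($userId, $group['members'], true);
    }
    return in_array($group['status'], ['public', 'private'], true);
}

/**
 * Hypothetical tag directory query: match on the tag, then apply the
 * visibility check to every row so no code path returns unfiltered results.
 */
function groups_for_tag(array $groups, string $tag, int $userId): array
{
    $visible = [];
    foreach ($groups as $group) {
        if (in_array($tag, $group['tags'], true) && can_list_group($group, $userId)) {
            $visible[] = $group['name'];
        }
    }
    return $visible;
}

// Regression cases for the scenario in the report: user 11 is logged in
// but is not a member of the hidden group, user 10 is a member.
$cases = [
    'anonymous visitor'    => [0,  ['Open Chat', 'Staff']],
    'logged-in non-member' => [11, ['Open Chat', 'Staff']],
    'hidden-group member'  => [10, ['Open Chat', 'Staff', 'Board Only']],
];
foreach ($cases as $label => [$userId, $expected]) {
    $actual = groups_for_tag($groups, 'blabla', $userId);
    printf("%-22s %s %s\n", $label, $actual === $expected ? 'OK  ' : 'LEAK', implode(', ', $actual));
}
```

The second case is the one the report describes: a tag listing that skips the membership check for logged-in users would print `LEAK` there.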